This command creates a text description stored in the configuration file for a configuration context.
The no form of the command removes the string.
n/a
This command administratively disables the entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. When disabled, an entity does not change, reset, or remove any configuration settings or statistics, other than the administrative state. Many objects must be shut down before they can be deleted.
The no form of the command puts an entity into the administratively enabled state. Many entities must be explicitly enabled using the no shutdown command.
no shutdown
This command enables the context to configure security settings.
Security commands manage user profiles and user membership. Security commands also manage user login registrations.
This command copies the specified user or profile configuration parameters to another (destination) user or profile.
The copied user's password is set to the return key (an empty password), and a new password must be selected at login.
This command enables FTP servers running on the system.
FTP servers are disabled by default. At system startup, only SSH servers are enabled.
The no form of the command disables FTP servers running on the system.
no ftp-server
Whenever the user executes a save or info command, the system will encrypt all passwords, keys, and so on for security reasons. At present, two algorithms exist.
The first algorithm produces a simple, short key that can be copied and pasted to a different location when the user wants to configure the same password. However, because the hash depends only on the password or key itself, the same password always produces the same hash string, so it is obvious that the same key is in use.
The second algorithm is a more complex key, and cannot be copied and pasted in different locations in the configuration file. In this case, if the same key or password is used repeatedly in different contexts, each encrypted (hashed) version will be different.
all — read-version set to accept both versions 1 and 2
This command specifies the source address that should be used in all unsolicited packets sent by the application.
This command specifies the application to use the source IPv4 address specified by the source-address command.
The no form of the command removes the specified source address from the application, causing the application to use the system IP address as the source address.
This command specifies the application to use the source IPv6 address specified by the source-address command.
The no form of the command removes the specified source address from the application, causing the application to use the system IP address as the source address.
This command enables Telnet servers running on the system.
Telnet servers are off by default. At system startup, only SSH servers are enabled.
Telnet servers in 7705 SAR networks limit a Telnet client to three retries to log in. The Telnet server disconnects the Telnet client session after three retries.
The no form of the command disables Telnet servers running on the system.
no telnet-server
This command enables Telnet IPv6 servers running on the system.
Telnet servers are off by default. At system startup, only SSH servers are enabled.
Telnet servers in 7705 SAR networks limit a Telnet client to three retries to log in. The Telnet server disconnects the Telnet client session after three retries.
The no form of the command disables Telnet servers running on the system.
no telnet6-server
This command configures the rate at which the 7705 SAR sends ICMP replies to a source IP address in response to TTL expiry IP packets that have been received for all VPRN instances in the system and from all network IP interfaces. Packets include labeled user packets as well as ping and traceroute packets within a VPRN.
This command does not apply to MPLS packets or service OAM packets such as VPRN ping and trace, LSP ping and trace, and VCC ping and trace.
When the command is issued without any number and seconds parameters specified, the default rate is 100 ICMP reply packets sent per 10 seconds. The no form of the command disables the rate-limiting of ICMP replies.
no vprn-network-exceptions
This command enables the context to edit management access filters and to reset match criteria.
Management access filters control all traffic in and out of the CSM. They can be used to restrict management of the 7705 SAR to nodes within specific (sub)networks or to traffic arriving through designated ports.
Management filters, as opposed to other traffic filters, are enforced by system software.
The no form of the command removes management access filters from the configuration.
n/a
This command enables the context to configure IP filter commands.
This command enables the context to configure IPv6 filter commands.
This command creates the default action for management access in the absence of a specific management access filter match.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
n/a
This command is used to create or edit a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7705 SAR exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.
The no form of the command removes the specified entry from the management access filter.
n/a
This command creates the action associated with the management access filter match criteria entry.
The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.
If the packet does not meet any of the match criteria, the configured default action is applied.
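The first-match evaluation described above (entries walked in entry-id order, incomplete entries ignored, default-action applied when nothing matches), as an added illustration that is not 7705 SAR code. The entry fields, the packet model and the sample rulesets are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    protocol: int                  # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dst_port: Optional[int] = None


@dataclass
class Entry:
    """One management access filter entry (constructed model, not the CLI object)."""
    entry_id: int
    action: Optional[str] = None   # "permit" or "deny"; None = no action keyword = inactive
    src_ip: Optional[str] = None   # prefix such as "10.1.0.0/16"
    protocol: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # An entry with no criteria matches everything.
        if self.src_ip is not None:
            net = ipaddress.ip_network(self.src_ip, strict=False)
            if ipaddress.ip_address(pkt.src_ip) not in net:
                return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(entries: List[Entry], default_action: str,
             pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk entries by ascending entry-id and stop at the first match.

    Returns (action, entry_id); entry_id is None when default-action decided.
    """
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if entry.action is None:
            continue                # incomplete entries are inactive
        if entry.matches(pkt):
            return entry.action, entry.entry_id
    return default_action, None


# Constructed sample ruleset: permit SSH from the management subnet, deny
# everything else from that subnet explicitly, default-deny the rest.
# Entry 30 has no action keyword and is therefore ignored.
SAMPLE_ENTRIES = [
    Entry(10, "permit", src_ip="10.1.0.0/16", protocol=6, dst_port=22),
    Entry(20, "deny", src_ip="10.1.0.0/16"),
    Entry(30, src_ip="192.0.2.0/24"),
]

# The same rules with the broad deny sequenced before the specific permit:
# the permit can never be reached, which is why entries must run from most
# to least explicit (or be renumbered).
MISORDERED_ENTRIES = [
    Entry(5, "deny", src_ip="10.1.0.0/16"),
    Entry(10, "permit", src_ip="10.1.0.0/16", protocol=6, dst_port=22),
]

if __name__ == "__main__":
    ssh = Packet("10.1.5.5", 6, 22)
    print(evaluate(SAMPLE_ENTRIES, "deny", ssh))        # ('permit', 10)
    print(evaluate(MISORDERED_ENTRIES, "deny", ssh))    # ('deny', 5)
```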
n/a
This command configures a destination TCP or UDP port number or port range for a management access filter match criterion.
The no form of the command removes the destination port match criterion.
n/a
This 16-bit mask can be configured using the formats in Table 5.
| Format Style | Format Syntax | Example |
|---|---|---|
| Decimal | DDDDD | 63488 |
| Hexadecimal | 0xHHHH | 0xF800 |
| Binary | 0bBBBBBBBBBBBBBBBB | 0b1111100000000000 |
For example, to select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.
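The port value/mask matching described above, as an added example rather than 7705 SAR code: it parses the three mask formats from the table, tests a port against a value/mask pair, and derives the inclusive port range that a contiguous mask selects (the 1024 0xFC00 case from the text). Function names are assumptions.

```python
def parse_mask(text: str, bits: int = 16) -> int:
    """Accept the decimal (DDDDD), hexadecimal (0xHHHH) and binary (0bBBBB...) formats."""
    t = text.strip().lower()
    if t.startswith("0x"):
        value = int(t[2:], 16)
    elif t.startswith("0b"):
        value = int(t[2:], 2)
    else:
        value = int(t, 10)
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{text!r} does not fit in {bits} bits")
    return value


def _as_int(mask) -> int:
    return parse_mask(mask) if isinstance(mask, str) else int(mask)


def port_matches(port: int, value: int, mask) -> bool:
    """A port matches when the masked port equals the masked configured value."""
    m = _as_int(mask)
    return (port & m) == (value & m)


def matched_range(value: int, mask) -> tuple:
    """Inclusive (low, high) port range selected by a contiguous (prefix-style) mask.

    A non-contiguous mask such as 0xF0F0 selects several disjoint ranges, so it
    is rejected here rather than reported as a single span.
    """
    m = _as_int(mask)
    inverted = (~m) & 0xFFFF
    if (inverted + 1) & inverted:
        raise ValueError("mask is not contiguous; matched ports are not one range")
    low = value & m
    return low, low | inverted


if __name__ == "__main__":
    # 1024 with mask 0xFC00 selects ports 1024 through 2047.
    print(matched_range(1024, "0xFC00"))            # (1024, 2047)
    print(port_matches(2048, 1024, "0xFC00"))       # False
```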
This command configures flow label match conditions for a management access filter match criterion. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default QoS or real-time service.
This command applies to IPv6 filters only.
This command enables match logging.
The no form of this command disables match logging.
no log
This command specifies the next header to match as a management access filter match criterion.
This command applies to IPv6 filters only.
This command configures an IP protocol type to be used as a management access filter match criterion.
The protocol type is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).
This command applies to IPv4 filters only.
The no form of the command removes the protocol from the match criteria.
n/a
This command configures a router name or service ID to be used as a management access filter match criterion.
The no form of the command removes the router name or service ID from the match criteria.
router-name — specifies a router name up to 32 characters to be used in the match criteria
service-id — specifies an existing service ID to be used in the match criteria
This command configures a source IPv4 address range to be used as a management access filter match criterion.
To match on the source IP address, specify the address and the associated mask (for example, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used.
The no form of the command removes the source IP address match criterion.
n/a
This command configures a source IPv6 address range to be used as a management access filter match criterion.
To match on the source IP address, specify the address and prefix length; for example, 11::12/128.
The no form of the command removes the source IP address match criterion.
n/a
This command restricts ingress management traffic to either the CSM Ethernet port or any other logical port (port or channel) on the device.
When the source interface is configured, only management traffic arriving on those ports satisfies the match criteria.
The no form of the command reverts to the default value.
any interface
| Parameter | Syntax |
|---|---|
| port-id | slot/mda/port |
| bundle-id | bundle-type-slot/mda.bundle-num |
| type | ima, ppp |
| bundle-num | 1 to 128 |
This command renumbers existing management access filter entries to resequence filter entries.
The 7705 SAR exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be renumbered from most to least explicit.
This command enables the context to configure a CPM (referred to as CSM on the 7705 SAR) filter. A CPM filter is a hardware filter (that is, implemented on the network processor) for the CSM-destined traffic that applies to all the traffic destined for the CSM CPU. It can be used to drop or accept packets, as well as allocate dedicated hardware queues for the traffic. The hardware queues are not user-configurable.
The no form of the command disables the CPM filter.
This command specifies the action to be applied to packets when the packets do not match the specified criteria in all of the IP filter entries of the filter. If there are no filter entries defined, the packets received will either be accepted or dropped based on that default action.
accept
This command enables the context to configure IPv4 CPM filter parameters.
This command enables the context to configure IPv6 CPM filter parameters.
This command specifies a particular CPM filter match entry. Every CPM filter must have at least one filter match entry. A filter entry with no match criteria set will match every packet, and the entry action will be taken.
The create keyword must be used with every new entry configured. Once the entry has been created, you can navigate to the entry context without using the create keyword.
All IPv4 filter entries can specify one or more matching criteria. There are no range-based restrictions on any IPv4 filter entries.
For IPv6 filters, the combined number of fields for all entries in a filter must not exceed 16 fields (or 256 bits), where a field contains the bit representation of the matching criteria.
This command specifies the action to take for packets that match this filter entry.
drop
This command specifies the log in which packets matching this entry should be entered. The value 0 indicates that logging is disabled.
The no form of the command deletes the log ID.
This command enables the context to enter match criteria for the IPv4 filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.
If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of the command removes the match criteria for the entry-id.
| Protocol ID | Protocol | Description |
|---|---|---|
| 1 | icmp | Internet Control Message |
| 2 | igmp | Internet Group Management |
| 4 | ip | IP in IP (encapsulation) |
| 6 | tcp | Transmission Control |
| 8 | egp | Exterior Gateway Protocol |
| 9 | igp | Any private interior gateway |
| 17 | udp | User Datagram |
| 27 | rdp | Reliable Data Protocol |
| 41 | ipv6 | IPv6 |
| 43 | ipv6-route | Routing Header for IPv6 |
| 44 | ipv6-frag | Fragment Header for IPv6 |
| 45 | idrp | Inter-Domain Routing Protocol |
| 46 | rsvp | Reservation Protocol |
| 47 | gre | General Routing Encapsulation |
| 58 | ipv6-icmp | ICMP for IPv6 |
| 59 | ipv6-no-nxt | No Next Header for IPv6 |
| 60 | ipv6-opts | Destination Options for IPv6 |
| 80 | iso-ip | ISO Internet Protocol |
| 88 | eigrp | EIGRP |
| 89 | ospf-igp | OSPFIGP |
| 97 | ether-ip | Ethernet-within-IP Encapsulation |
| 98 | encap | Encapsulation Header |
| 102 | pnni | PNNI over IP |
| 103 | pim | Protocol Independent Multicast |
| 112 | vrrp | Virtual Router Redundancy Protocol |
| 115 | l2tp | Layer Two Tunneling Protocol |
| 118 | stp | Schedule Transfer Protocol |
| 123 | ptp | Performance Transparency Protocol |
| 124 | isis | ISIS over IPv4 |
| 126 | crtp | Combat Radio Transport Protocol |
| 127 | crudp | Combat Radio User Datagram |
| 132 | sctp | Stream Control Transmission Protocol |
| 137 | mpls-in-ip | MPLS in IP |
This command enables the context to enter match criteria for the IPv6 filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.
If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.
A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
The no form of the command removes the match criteria for the entry-id.
This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.
The no form of the command removes the DSCP match criterion.
no dscp
This command configures a destination IPv4 address range to be used as an IP filter match criterion.
To match on the destination IP address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of the command removes the destination IP address match criterion.
no dst-ip
This command configures a destination IPv6 address range to be used as an IP filter match criterion.
To match on the destination IP address, specify the address and prefix length; for example, 11::12/128.
The no form of the command removes the destination IP address match criterion.
n/a
This command specifies the TCP/UDP port to match the destination port of the packet.
The no form of the command removes the destination port match criterion.
The TCP or UDP protocol must be configured using the match command before this filter can be configured.
This command configures fragmented or non-fragmented IP packets as an IP filter match criterion.
The no form of the command removes the match criterion.
This command applies to IPv4 filters only.
false
This command configures matching on an ICMP code field in the ICMP header of an IP packet as an IP filter match criterion.
The ICMP protocol must be configured using the match command before this filter can be configured.
The no form of the command removes the criterion from the match entry.
no icmp-code
This command configures matching on an ICMP type field in the ICMP header of an IP packet as an IP filter match criterion.
The ICMP protocol must be configured using the match command before this filter can be configured.
The no form of the command removes the criterion from the match entry.
no icmp-type
This command configures matching packets with a specific IP option or a range of IP options in the IP header as an IP filter match criterion.
The option type octet contains 3 fields:
The no form of the command removes the match criterion.
This command applies to IPv4 filters only.
no ip-option
The decimal value entered for the match should be a combined value of the 8-bit option type field and not just the option number. Therefore, to match on IP packets that contain the Router Alert option (option number = 20), enter the option type of 148 (10010100).
This 8-bit mask can be entered using decimal, hexadecimal, or binary formats as shown in Table 7.
| Format Style | Format Syntax | Example |
|---|---|---|
| Decimal | DDD | 20 |
| Hexadecimal | 0xHH | 0x14 |
| Binary | 0bBBBBBBBB | 0b00010100 |
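The option type octet arithmetic behind the ip-option criterion above (copied flag, option class and option number packed into one octet, so Router Alert, number 20, becomes 148), as an added example that is not 7705 SAR code. Masks are passed as integers here; the function names are assumptions.

```python
ROUTER_ALERT_NUMBER = 20   # option number from the text; its type octet is 148 = 0b10010100


def option_type_octet(copied: int, option_class: int, number: int) -> int:
    """Pack the 1-bit copied flag, 2-bit class and 5-bit number into the type octet."""
    if copied not in (0, 1) or not 0 <= option_class <= 3 or not 0 <= number <= 31:
        raise ValueError("copied must be 0/1, class 0..3, number 0..31")
    return (copied << 7) | (option_class << 5) | number


def split_option_type(octet: int) -> tuple:
    """Inverse of option_type_octet: returns (copied, class, number)."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("option type is a single octet")
    return (octet >> 7) & 0x1, (octet >> 5) & 0x3, octet & 0x1F


def ip_option_matches(octet: int, value: int, mask: int = 0xFF) -> bool:
    """Value/mask comparison as for the other masked criteria: masked octet == masked value.

    A mask of 0x1F compares only the option number, so one entry covers the
    option regardless of its copied flag and class bits.
    """
    return (octet & mask) == (value & mask)


if __name__ == "__main__":
    print(option_type_octet(1, 0, ROUTER_ALERT_NUMBER))   # 148
    print(split_option_type(148))                          # (1, 0, 20)
```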
This command configures matching packets that contain more than one option field in the IP header as an IP filter match criterion.
The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.
This command applies to IPv4 filters only.
no multiple-option
This command configures matching packets that contain the option field or have an option field of 0 in the IP header as an IP filter match criterion.
The no form of the command removes the checking of the option field in the IP header as a match criterion.
This command applies to IPv4 filters only.
This command specifies the IPv4 address to match the source IP address of the packet.
To match on the source IP address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
The no form of the command removes the source IP address match criterion.
no src-ip
This command configures a source IPv6 address range to be used as an IP filter match criterion.
To match on the source IP address, specify the address and prefix length; for example, 11::12/128.
The no form of the command removes the source IP address match criterion.
n/a
This command specifies the TCP/UDP port to match the source port of the packet.
no src-port
This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.
The no form of the command removes the criterion from the match entry.
no tcp-ack
This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.
The SYN bit is normally set when the source of the packet wants to initiate a TCP session with the specified destination IP address.
The no form of the command removes the criterion from the match entry.
no tcp-syn
This command renumbers existing IP filter entries in order to resequence filter entries.
Resequencing may be required in some cases because the process is exited when the first match is found and the actions are executed according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.
Note: See the description for the admin-password command. If the admin-password is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the enable-admin command.
The enable-admin command is in the default profile. By default, all users are given access to this command.
Once the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is given unrestricted access to all the commands.
There are two ways to verify that a user is in the enable-admin mode:
This command enables the context to configure password management parameters.
This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator.
This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.
Note: See the description for the enable-admin command. If the admin-password is configured in the config>system>security>password context, then any user can enter the admin mode by entering the enable-admin command and the correct admin password.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.
Note: The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets. User names and passwords in the FTP and TFTP URLs will not be sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.
For example:
file copy ftp://test:secret@131.12.31.79/test/srcfile cf3:\destfile
In this example, the user name “test” and password “secret” will not be sent to the AAA servers (or to any logs). They will be replaced with “****”.
The no form of the command removes the admin password from the configuration.
no admin-password
Note: If neither the hash nor hash2 keyword is specified, the key is entered in clear text. However, for security purposes, the key is stored on the node using hash encryption.
This command configures the number of days a user password is valid before the user must change their password.
The no form of the command reverts to the default value.
no aging is enforced
This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.
If the threshold is exceeded, the user is locked out for a specified time period.
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no attempts command resets all values to the default.
count: 3; minutes1: 5; minutes2: 10
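The lockout bookkeeping that the attempts thresholds above describe (count failures within the first time window lock the user out for the second), as an added illustration rather than 7705 SAR code. It assumes the lock is applied on the count-th failure inside the window and that a successful login clears the failure history; timestamps are passed in explicitly so the behaviour is deterministic.

```python
from collections import defaultdict


class LoginAttemptTracker:
    """Tracks failed logins per user with attempts-style thresholds.

    count   - failures allowed inside the window before lockout (default 3)
    time1   - window length in minutes (default 5)
    time2   - lockout duration in minutes (default 10)
    """

    def __init__(self, count: int = 3, time1: int = 5, time2: int = 10):
        self.count = count
        self.window = time1 * 60        # seconds
        self.lockout = time2 * 60       # seconds
        self._failures = defaultdict(list)   # user -> failure timestamps (seconds)
        self._locked_until = {}              # user -> unlock time (seconds)

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed login; returns True when the user is (now) locked out."""
        if self.is_locked(user, now):
            return True
        # Keep only failures still inside the sliding window (assumption: strict window).
        recent = [t for t in self._failures[user] if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.count:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []
            return True
        return False

    def record_success(self, user: str, now: float) -> None:
        """A successful login clears the failure history (assumption for this model)."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    tracker = LoginAttemptTracker()
    for t in (0, 60, 120):                       # three failures inside five minutes
        print(t, tracker.record_failure("alice", t))   # False, False, True
    print(tracker.is_locked("alice", 120 + 599))       # True
```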
This command configures the sequence in which password authentication, authorization, and accounting is attempted among RADIUS, TACACS+, and local passwords.
The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.
If all (operational) methods are attempted and no authentication for a particular login has been granted, then an entry in the security log registers the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.
The no form of the command reverts to the default authentication sequence.
authentication-order radius tacplus local
A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting will only use the method that provided an affirmative authentication; only if that method is no longer reachable or is removed from the configuration will other configured methods be attempted. If the local keyword is the first authentication and:
This command enables the context to configure security password complexity rules.
This command allows a login name to be included as part of the password.
The no form of this command prevents a login name from being included as part of the password.
This command configures a credit value for each of the different character classes in a local password. When a password is created, credits are assigned for each character in a character class, up to the assigned credits limit. The credits each count as one additional character towards the minimum length of the password. This allows a trade-off between a very long, simple password and a short, complex one.
For example, if the password minimum length is seven and lowercase credits is set to 3, a password with four lowercase letters, such as “srty”, is accepted. The first three lowercase letters are each given a credit worth one extra character. Combined with the four characters in the password, the total reaches the minimum length. If lowercase credits is set to 2 instead of 3, only the first two lowercase letters are given credit. In this case, the “srty” password is worth only six characters (four characters plus two extra characters from credits) and would fail to reach the seven character minimum length.
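The credits arithmetic worked through above (the "srty" case with lowercase credits of 3 versus 2 against a minimum length of 7), as an added example that is not 7705 SAR code. The character-class names and function names are assumptions; characters outside the four classes count toward length but earn no credit.

```python
import string

# Constructed class definitions for the four classes named on the page.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numeric": set(string.digits),
    "special": set(string.punctuation),
}


def classify(ch: str):
    """Return the class name of a character, or None if it belongs to no class."""
    for name, chars in CLASSES.items():
        if ch in chars:
            return name
    return None


def effective_length(password: str, credits: dict) -> int:
    """Length plus credits: each character counts once, and the first N characters
    of a class (N = that class's credit limit) each count one extra character."""
    seen = {}
    extra = 0
    for ch in password:
        cls = classify(ch)
        if cls is None:
            continue
        seen[cls] = seen.get(cls, 0) + 1
        if seen[cls] <= credits.get(cls, 0):
            extra += 1
    return len(password) + extra


def meets_minimum_length(password: str, minimum_length: int, credits: dict) -> bool:
    return effective_length(password, credits) >= minimum_length


if __name__ == "__main__":
    print(effective_length("srty", {"lowercase": 3}))   # 7 -> accepted at minimum-length 7
    print(effective_length("srty", {"lowercase": 2}))   # 6 -> rejected at minimum-length 7
```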
The no form of this command removes all credit values.
no credits
This command enforces a minimum number of different character classes to be used in the password. The possible character classes are lowercase letters, uppercase letters, numbers, and special characters.
The no form of this command removes the minimum character class requirement.
no minimum-classes
This command configures the minimum number of characters required for passwords.
If multiple minimum-length commands are entered, each command overwrites the previously entered command.
The no form of the command reverts to the default value.
6
This command configures the maximum number of times a character can be repeated consecutively in a password.
The no form of the command resets to the default value, which removes the restriction on repeated characters in passwords.
no repeated-characters
This command configures the minimum number of characters from each character class that are required for a password to be valid.
The no form of the command removes the minimum required characters from each character class.
no required
This command specifies that RADIUS and TACACS+ servers are monitored for 3 s each during every polling interval. Servers that are not configured will have 3 s of idle time. If a server is found to be unreachable, or a previously unreachable server starts responding, depending on the type of server, a trap will be sent.
The no form of the command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server will be up if the last access was successful.
30
This command configures the number of previous passwords to save in the system. A new password is matched against every old password and is rejected if it is identical to a password in the history.
The no form of the command prevents password history matching.
no history-size
This command configures the minimum required age of a password before it can be changed again.
The no form of this command removes the minimum password age requirement.
no minimum-age
This command configures the minimum number of characters in a new password that must be unique from the previous password.
The no form of the command removes the unique character requirement.
no minimum-change
This command creates a context to create user profiles for CLI command tree permissions.
Profiles are used to either deny or permit user console access to a hierarchical branch or to specific commands.
Once the profiles are created, the user command assigns users to one or more profiles. You can define up to 16 user profiles, but a maximum of 8 profiles can be assigned to a user.
The no form of the command deletes a user profile.
user-profile default
This command specifies the default action to be applied when no match conditions are met.
none
Note: The permit-all command does not change access to security commands. Security commands are only and always available to members of the admin-user profile.
For example, if a user is a member of two profiles and the default action of the first profile is permit-all, then the second profile will never be evaluated because permit-all is executed first. If the first profile default action is set to none and if no match conditions are met in the first profile, then the second profile will be evaluated. If the default action of the last profile is none and no explicit match is found, then the default-action deny-all takes effect.
This command is used to create a user profile entry.
More than one entry can be created with unique entry-id numbers. The 7705 SAR exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.
The no form of the command removes the specified entry from the user profile.
no entry IDs are defined
This command configures the action associated with the profile entry.
This command configures a command or command subtree.
Because the 7705 SAR exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated prior to this profile.
All commands below the hierarchy level of the matched command are denied.
The no form of this command removes a match condition.
no match command string is specified
This command renumbers profile entries to resequence the entries.
Since the 7705 SAR exits when the first match is found and executes the actions according to the accompanying action command, renumbering is useful to rearrange the entries from most explicit to least explicit.
This command creates a local user and a context to edit the user configuration.
If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
When a new user is created and the info command is entered, the system displays a password with hash2 encryption in the output screen. However, when using that user name, there will be no password required. The user can log in to the system by entering their user name and then pressing ↵ at the password prompt.
Unless an administrator explicitly changes the password, it will be null. The hashed value displayed uses the user name and null password field, so when the user name is changed, the displayed hashed value will change.
The no form of the command deletes the user and all configuration data. Users cannot delete themselves.
n/a
This command configures default security user template parameters.
This command grants a user permission for FTP, SNMP, or console access.
If a user requires access to more than one application, then multiple applications can be specified in a single command. Multiple commands are treated sequentially.
The no form of the command removes access for a specific application.
The no access command denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied; for example, no access ftp denies FTP access.
no access
This command enables the context to configure user profile membership for the console.
This command allows a user to change their password for both FTP and console login.
To disable a user’s privilege to change their password, use the cannot-change-password form of the command.
The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.
no cannot-change-password
This command configures a user’s login exec file, which executes whenever the user successfully logs in to a console session.
Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.
The no form of the command disables the login exec file for the user.
no login exec file is defined
This command allows the user access to a profile.
A user can participate in up to eight profiles.
The no form of this command removes the user's access to a profile.
default
This command forces the user to change passwords at the next console or FTP login.
If the user is limited to FTP access, the administrator must create the new password.
The no form of the command does not force the user to change passwords.
no new-password-at-login
This command configures the local home directory for the user for both console and FTP access.
If the URL or the specified URL/directory structure is not present, then a warning message is issued and the default is assumed.
The no form of the command removes the configured home directory.
no home-directory
Note: If restricted-to-home has been configured, no file access is granted and no home directory is created; if restricted-to-home is not applied, root becomes the user's home directory.
This command configures the user password for console and FTP access.
The password is stored in an encrypted format in the configuration file when specified. Passwords must be encased in double quotes (" ") at the time of the password creation if they contain any special characters. The double quote character (") is not accepted inside a password. It is interpreted as the start or stop delimiter of a string.
Note: In Release 7.0 and later, the hash and hash2 parameters are not supported.
Passwords that contain special characters (#, $, spaces, etc.) must be enclosed within double quotes.
For example: config>system>security>user# password "south#bay?"
The question mark character (?) cannot be typed directly during a Telnet or console session because it is bound to the help command.
To enter a password containing # or ?, compose it in a text editor or clipboard program and paste it into the session, inside the double quotes that delimit the password.
If a password is entered without any parameters, a password length of zero is implied (return key).
This command prevents users from navigating above their home directories for file access. A user is not allowed to navigate to a directory higher in the directory tree on the home directory device. The user is allowed to create and access subdirectories below their home directory.
If a home directory is not configured or the home directory is not available, then the user has no file access.
The no form of the command allows the user access to navigate to directories above their home directory.
no restricted-to-home
This command enables the context to configure SNMP group membership for a specific user and defines encryption and authentication parameters.
All SNMPv3 users must be configured with the commands available in this CLI context.
The 7705 SAR always uses the configured SNMPv3 user name as the security user name.
This command configures the authentication and encryption method the user must use in order to be validated by the 7705 SAR. SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered with. The authentication protocol can either be HMAC-MD5-96 or HMAC-SHA-96.
authentication none - no authentication is configured and privacy cannot be configured
To remove a previously configured des-key, enter privacy none.
The des-key keyword is not available if the 7705 SAR node is running in FIPS-140-2 mode.
To remove a previously configured aes-128-cfb-key, enter privacy none.
This command associates (or links) a user to a group name. The access command links the group with one or more views, security models, security levels, and read, write, and notify permissions.
no group name is associated with a user
This command enables the context to configure RADIUS authentication on the 7705 SAR.
For redundancy, multiple server addresses can be configured for each 7705 SAR.
The no form of the command removes the RADIUS configuration.
This command configures the algorithm used to access the set of RADIUS servers. Up to five servers can be configured.
In direct mode, the first server, as defined by the server command, is the primary server. This server is always used first when authenticating a request. In round-robin mode, the server used to authenticate a request is the next server in the list, following the last authentication request. For example, if server 1 is used to authenticate the first request, server 2 is used to authenticate the second request, and so on.
direct
This command enables RADIUS accounting. The no form of this command disables RADIUS accounting.
no accounting
This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.
This command configures RADIUS authorization parameters for the system.
The no form of this command disables RADIUS authorization for the system.
no authorization
This command configures the UDP port number used to contact the RADIUS server for authentication requests (RADIUS runs over UDP, not TCP).
The no form of the command reverts to the default value.
1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS))
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of the command reverts to the default value.
3
This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.
Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher-indexed server is only queried if no response is received from a lower-indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried. It is therefore assumed that the servers are identical backups of one another: the first response, whether accept or reject, ends the query, so a reject from one server is never retried against the next, and servers holding different user data would give inconsistent results depending on which one answered.
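The following is an added example, not code from the 7705 SAR documentation or software: a Python model of how the server list is walked under the direct and round-robin access algorithms, including failover after the retry count is exhausted and the stop-on-first-response rule described above. Server addresses and their replies are constructed; the reading that round-robin resumes after the server that answered (rather than the last one tried) is an assumption.

```python
"""Added example, not part of the 7705 SAR documentation or software.

Models how the configured RADIUS server list is walked under the
access-algorithm direct and round-robin modes, with the retry-count and
stop-on-first-response behaviour the text describes. Server replies come
from a constructed table; nothing here sends a real RADIUS packet.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A probe returns None for "no response" (server unreachable) or a string
# such as "accept"/"reject" for a real answer. Any real answer ends the query.
Probe = Callable[[str], Optional[str]]


@dataclass
class RadiusServerList:
    servers: Dict[int, str]          # index (1..5) -> server address, constructed
    mode: str = "direct"             # "direct" or "round-robin"
    retry_count: int = 3             # page default for retry
    _last_used: Optional[int] = field(default=None, init=False)

    def _order(self) -> List[int]:
        """Index order for the next request.

        direct      : the lowest-indexed (primary) server is always tried first.
        round-robin : start at the server after the one that answered the
                      previous request, continue through the list and wrap
                      around (assumption: "last used" means the server that
                      actually answered, not merely the last one tried).
        """
        idx = sorted(self.servers)
        if self.mode != "round-robin" or self._last_used is None:
            return idx
        pos = idx.index(self._last_used)
        return idx[pos + 1:] + idx[:pos + 1]

    def authenticate(self, probe: Probe) -> Tuple[Optional[str], List[str]]:
        """Query servers in order until one answers.

        A reject is an answer: it is final and is not retried against a
        higher-indexed server, which is why all servers must hold identical
        user data. Returns (answer, or None if nobody answered; addresses tried).
        """
        tried: List[str] = []
        for i in self._order():
            addr = self.servers[i]
            tried.append(addr)
            answer: Optional[str] = None
            for _ in range(self.retry_count):        # retries cover lost datagrams
                answer = probe(addr)
                if answer is not None:
                    break
            if answer is not None:
                self._last_used = i
                return answer, tried
        return None, tried


# Constructed scenario: server 1 is down, server 2 rejects, server 3 accepts.
SERVERS = {1: "192.0.2.11", 2: "192.0.2.12", 3: "192.0.2.13"}
REPLIES = {"192.0.2.11": None, "192.0.2.12": "reject", "192.0.2.13": "accept"}


def demo_probe(addr: str) -> Optional[str]:
    return REPLIES[addr]


if __name__ == "__main__":
    direct = RadiusServerList(dict(SERVERS), mode="direct")
    print("direct     :", direct.authenticate(demo_probe))
    rr = RadiusServerList(dict(SERVERS), mode="round-robin")
    for _ in range(3):
        print("round-robin:", rr.authenticate(demo_probe))
```

Running it shows the practical consequence of the text: in direct mode every request pays the retry cost of the dead primary before reaching server 2, and in either mode the reject from server 2 is final even though server 3 would have accepted.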
The no form of the command removes the server from the configuration.
no RADIUS servers are configured
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
3
This command specifies whether the user template defined by this entry is to be actively applied to the RADIUS user.
no use-default-template
This command enables the context to configure TACACS+ authentication on the 7705 SAR.
For redundancy, multiple server addresses can be configured for each 7705 SAR.
The no form of the command removes the TACACS+ configuration.
This command enables TACACS+ accounting and configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets will be sent or just stop packets will be sent.
record-type stop-only
This command configures TACACS+ authorization parameters for the system.
no authorization
This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.
Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from the lowest index to the highest index for authentication requests.
The no form of the command removes the server from the configuration.
no TACACS+ servers are configured
This command configures the number of seconds the router waits for a response from a TACACS+ server.
The no form of the command reverts to the default value.
3
This command specifies whether the user template defined by this entry is to be actively applied to the TACACS+ user.
This command enables the context to configure 802.1x network access control on the 7705 SAR.
The no form of the command removes the 802.1x configuration.
This command enables the context to configure RADIUS server parameters for 802.1x network access control on the 7705 SAR.
The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the 7705 SAR. This configuration differs from the RADIUS server configured under the config>system>security>radius context that authenticates CLI login users who get access to the management plane of the 7705 SAR.
The no form of the command removes the RADIUS server configuration for 802.1x.
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of the command reverts to the default value.
3
This command adds an 802.1x server and configures the IP address, index, and key values.
Up to five 802.1x servers can be configured at any one time. These servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher-indexed server is only queried if no response is received from a lower-indexed server (which implies that the server is not available). If a response from a server is received, no other 802.1x servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.
The no form of the command removes the server from the configuration.
n/a
This command configures the NAS IP address to be sent in the RADIUS packet.
The no form of the command reverts to the default value.
system IP address
This command administratively disables the 802.1x protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within.
The no form of the command administratively enables the protocol.
shutdown
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
5
This command enables the context to configure the SSH server on the system. This command should only be enabled or disabled when no SSH session is running.
When the command is executed, an SSH host key is generated. This key is valid until either the node is restarted or the SSH server is stopped with the no ssh command and restarted. The key size is non-configurable and set at 1024 bits, which is below the size current guidance recommends for RSA keys. Because the key is regenerated at every restart, clients see a changed host key after each reboot unless preserve-key is enabled; enable preserve-key so that clients can verify a stable fingerprint instead of being trained to accept host key changes.
Quitting SSH while in the process of authentication is accomplished by either executing a ctrl-c or "~." (tilde and dot), assuming the "~" is the default escape character for the SSH session.
ssh — the SSH server is enabled
This command enables the context to configure the list of allowed ciphers on the SSH client based on the SSH protocol version.
2
This command configures the allowed SSH protocol version 1 or version 2 ciphers that are available on the SSH client or server. Client ciphers are used when the 7705 SAR node is acting as an SSH client; server ciphers are used when the 7705 SAR node is acting as an SSH server.
The no form of this command deletes the specified cipher index.
n/a
SSH version 1 ciphers:
Cipher Index Value | Cipher Name |
10 | 3des |
20 | blowfish |
30 | des |
SSH version 2 ciphers:
Cipher Index Value | Cipher Name |
10 | aes128-cbc |
20 | 3des-cbc |
30 | blowfish-cbc |
40 | cast128-cbc |
50 | arcfour |
60 | aes192-cbc |
70 | aes256-cbc |
80 | rijndael-cbc |
Note: blowfish-cbc, cast128-cbc, arcfour, and rijndael-cbc are not available if the 7705 SAR node is running in FIPS-140-2 mode. Of the ciphers listed, des (56-bit) and arcfour (RC4) are considered broken and should be removed from the list regardless of FIPS mode.
This command specifies the persistence of the SSH server host key. When enabled, the host key will be saved by the server and restored following a system reboot. This command can only be enabled or disabled when no SSH session is running.
The no form of the command specifies that the host key will be held in memory by the SSH server and not be restored following a system reboot.
no preserve-key
This command enables the context to configure the list of allowed ciphers on the SSH server based on the SSH protocol version.
2
This command enables the SSH servers running on the system.
at system startup, only the SSH server is enabled
This command specifies the SSH protocol version that will be supported by the SSH server. The server may be configured as Secure Shell Version 1 (SSH1), Version 2 (SSH2) or both. SSH1 and SSH2 are different protocols and encrypt at different parts of the packets. SSH1 uses the server as well as host keys to authenticate systems, whereas SSH2 only uses host keys. SSH2 does not use the same networking implementation that SSH1 does and is considered a more secure, efficient, and portable version of SSH. SSH1 is obsolete and has known protocol weaknesses; configure the server for SSH2 only unless a legacy client leaves no alternative.
This command enables the context to configure keychain parameters that are used to authenticate protocol communications. A keychain must be configured on the system before it can be applied to a protocol session.
The keychain must include at least one key entry to be valid.
The no form of the command removes the keychain and all commands configured in the keychain context. If the keychain is associated with a protocol when the no keychain command is entered, the command will be rejected and an error indicating that the keychain is in use will be displayed.
n/a
This command specifies the stream direction on which the keys will be applied.
n/a
This command configures keys for both send and receive stream directions.
n/a
This command defines a key in the keychain. A keychain must have at least one key entry to be valid.
The key and algorithm keywords are mandatory when the entry is first created.
The no form of the command removes the entry from the keychain. If the key is the active key for sending, this command will cause a new active key to be selected (if one is available). If the key is the only possible send key, the command will be rejected and an error indicating that the configured key is the only available send key will be displayed. If the key is one of the eligible keys for receiving, it will be removed. If the key is the only eligible key for receiving, the command will be rejected and an error indicating that this is the only eligible key will be displayed.
n/a
This parameter is useful when a user must configure the key but, for security purposes, is not given the unencrypted key value.
This command specifies the calendar date and time after which the key specified by the keychain authentication key entry is used to sign and/or authenticate the protocol stream.
Each entry within a bidirectional keychain or for a keychain direction (if unidirectional keys are used) must have a unique begin time.
If no date and time is set, the begin-time is represented by a date and time string with all NULLs and the key is not valid.
forever
This command enables options to be associated with the authentication key for IS-IS. The command is only applicable for IS-IS and will be ignored by other protocols associated with the keychain.
no option
This command configures the amount of time that an eligible receive key overlaps with the currently active key. During that time, packets with either key will be accepted. Tolerance only applies to received packets. Transmitted packets always use the newest key, regardless of the tolerance value.
If a tolerance value is set for a key, the key is returned as part of the key set if the current time is within the key's begin time, plus or minus the tolerance value. For example, if the begin time is 12:00 p.m. and the tolerance is 600 seconds (10 minutes), the new key is accepted from 11:50 a.m. and the key it replaces remains accepted until 12:10 p.m.
300
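An added example (not part of the documentation or the product) that computes the receive and send key sets for a constructed keychain at several moments around a key rollover, reproducing the 12:00 p.m. / 600-second case from the tolerance description. The chain, the timestamps and the reading that the incoming key's tolerance defines the overlap on both sides are assumptions.

```python
"""Added example, not part of the 7705 SAR documentation or software.

Computes, for a constructed keychain, which keys a receiver accepts at a
given moment (begin-time, end-time and tolerance applied) and which single
key the sender uses. Assumption: the tolerance of the incoming key defines
the overlap on both sides, so it is accepted from begin - tolerance and the
key it replaces stays acceptable until begin + tolerance.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class KeyEntry:
    key_id: int
    begin: datetime
    tolerance_secs: int = 300            # page default
    end: Optional[datetime] = None       # None models the "forever" default


def stamp(day: int, hour: int, minute: int, second: int = 0) -> datetime:
    """Constructed timestamps, all in January 2024."""
    return datetime(2024, 1, day, hour, minute, second)


def _ordered(keys: Sequence[KeyEntry]) -> List[KeyEntry]:
    # Begin times must be unique within a direction; sort oldest first.
    return sorted(keys, key=lambda k: k.begin)


def active_send_key(keys: Sequence[KeyEntry], now: datetime) -> Optional[int]:
    """Transmit always uses the newest key whose begin time has passed;
    tolerance is ignored for sending. If that key has passed its end-time
    there is no send key (an older key is not revived; assumption)."""
    begun = [k for k in _ordered(keys) if k.begin <= now]
    if not begun:
        return None
    newest = begun[-1]
    return newest.key_id if newest.end is None or now <= newest.end else None


def eligible_receive_keys(keys: Sequence[KeyEntry], now: datetime) -> List[int]:
    """Keys a receiver accepts at `now`, oldest first."""
    ordered = _ordered(keys)
    out: List[int] = []
    for i, k in enumerate(ordered):
        if k.end is not None and now > k.end:
            continue                                   # past its end-time
        if now < k.begin - timedelta(seconds=k.tolerance_secs):
            continue                                   # not yet inside its early window
        nxt = ordered[i + 1] if i + 1 < len(ordered) else None
        if nxt is not None and now > nxt.begin + timedelta(seconds=nxt.tolerance_secs):
            continue                                   # replaced, and the successor's grace is over
        out.append(k.key_id)
    return out


# Constructed chain reproducing the text's example: key 2 takes over at 12:00
# with a 600-second tolerance, so both keys are accepted from 11:50 to 12:10.
CHAIN = [
    KeyEntry(1, stamp(1, 0, 0), tolerance_secs=300),
    KeyEntry(2, stamp(1, 12, 0), tolerance_secs=600, end=stamp(2, 0, 0)),
]

if __name__ == "__main__":
    for h, m, s in [(11, 49, 59), (11, 50, 0), (12, 0, 0), (12, 10, 0), (12, 10, 1)]:
        t = stamp(1, h, m, s)
        print(t.time(), "receive", eligible_receive_keys(CHAIN, t),
              "send", active_send_key(CHAIN, t))
```

The output makes the asymmetry explicit: the receiver tolerates both keys for the whole 11:50 to 12:10 window, while the sender switches to key 2 at exactly 12:00, so a peer whose clock is more than the tolerance off will have its packets rejected.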
This command configures keys for send or receive stream directions.
n/a
This command enables the receive context. Entries defined under this context are used to authenticate packets that are received by the router.
n/a
This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to authenticate the protocol stream.
forever
This command enables the send context. Entries defined under this context are used to sign packets that are being sent by the router to another device.
n/a
This command enables the context to configure the TCP option number to be placed in the TCP packet header.
This command configures the TCP option number that will be accepted in the header of received TCP packets.
254
This command configures the TCP option number that will be inserted in the header of sent TCP packets.
254
This command enables the context to configure the session control for console, Telnet, and FTP.
This command enables the exponential backoff of the login prompt. Exponential backoff is used to deter dictionary attacks, in which an attacker scripts repeated login attempts against an account such as admin with a list of candidate passwords; each failed attempt lengthens the wait before the next prompt, which slows such a script down.
The no form of the command disables exponential-backoff.
no exponential-backoff
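An added example, not from the documentation or product, showing how the exponential backoff described here combines with the invalid-attempt threshold, time window and lockout period that the password-options output lists later on this page. The page does not state the backoff growth rule, so doubling the prompt delay per consecutive failure (with a cap) is an assumption, as is locking on the attempt after the permitted count.

```python
"""Added example, not part of the 7705 SAR documentation or software.

A login guard combining two controls the page describes: an exponential
backoff of the login prompt (growth rule assumed: delay doubles per
consecutive failure, capped) and the invalid-attempts / window / lockout
trio shown under password options. Timestamps are supplied by the caller
so the logic can be exercised without waiting.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional

EPOCH = datetime(2024, 1, 1, 9, 0)   # constructed reference time


def at(minutes: int) -> datetime:
    """Constructed timestamp `minutes` after EPOCH."""
    return EPOCH + timedelta(minutes=minutes)


class LoginGuard:
    def __init__(self, attempts_permitted: int = 3, window_minutes: int = 5,
                 lockout_minutes: int = 10, exponential_backoff: bool = True,
                 base_delay_secs: float = 1.0, max_delay_secs: float = 32.0) -> None:
        self.attempts_permitted = attempts_permitted
        self.window = timedelta(minutes=window_minutes)
        self.lockout = timedelta(minutes=lockout_minutes)
        self.exponential_backoff = exponential_backoff
        self.base_delay = base_delay_secs
        self.max_delay = max_delay_secs
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # sliding window
        self._streak: Dict[str, int] = defaultdict(int)                  # consecutive failures
        self._locked_until: Dict[str, datetime] = {}

    def locked_until(self, user: str, now: datetime) -> Optional[datetime]:
        """End of an active lockout for `user`, or None if logins are allowed."""
        until = self._locked_until.get(user)
        return until if until is not None and now < until else None

    def prompt_delay(self, user: str) -> float:
        """Seconds to hold the prompt before the next attempt.
        Assumed rule: base * 2**(failures-1), capped, reset on success."""
        n = self._streak[user]
        if not self.exponential_backoff or n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register a failed login; return True if it breached the threshold.
        Assumption: N attempts inside the window are permitted, the N+1th locks."""
        self._streak[user] += 1
        window = self._failures[user]
        window.append(now)
        while window and window[0] < now - self.window:
            window.popleft()                       # forget failures older than the window
        if len(window) > self.attempts_permitted:
            self._locked_until[user] = now + self.lockout
            window.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the backoff streak and the window."""
        self._streak[user] = 0
        self._failures[user].clear()


if __name__ == "__main__":
    guard = LoginGuard(attempts_permitted=3, window_minutes=5, lockout_minutes=10)
    for minute in range(4):
        locked = guard.record_failure("admin", at(minute))
        print(f"t+{minute}m: next prompt delayed {guard.prompt_delay('admin')}s, locked={locked}")
    print("locked until", guard.locked_until("admin", at(4)))
```

Backoff alone only slows a scripted attacker; the window-based threshold is what actually stops the run, and the sliding window means three failures spread over more than five minutes never trigger the lockout.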
This command enables the context to configure FTP login control parameters.
This command configures the maximum number of concurrent inbound FTP sessions.
This value is the combined total of inbound and outbound sessions.
The no form of the command reverts to the default value.
3
This command configures the idle timeout for FTP, console, or Telnet sessions before the session is terminated by the system.
By default, an idle FTP, console, or Telnet session times out after 30 minutes of inactivity. This timer can be set per session.
The no form of the command reverts to the default value.
30
This command enables or disables the display of a login banner. The login banner contains the 7705 SAR copyright and build date information for a console login attempt.
The no form of the command causes only the configured pre-login-message and a generic login prompt to display.
This command creates the message of the day that is displayed after a successful console login. Only one message can be configured.
The no form of the command removes the message.
no motd
Some special characters can be used to format the message text. The "\n" character creates multi-line MOTDs and the "\r" character restarts at the beginning of the new line. For example, entering "\n\r" will start the string at the beginning of the new line, while entering "\n" will start the second line below the last character from the first line.
This command creates a message displayed prior to console login attempts on the console via Telnet.
Only one message can be configured. If multiple pre-login messages are configured, the last message entered overwrites the previous entry.
The system name can be added to an existing message without affecting the current pre-login message.
The no form of the command removes the message.
no pre-login-message
This command enables the context to configure SSH login control parameters.
This command disables graceful shutdown of SSH sessions.
By default, SSH always performs a graceful shutdown on a TCP connection. When graceful shutdown is disabled, SSH sends a FIN message and then immediately terminates the connection.
The no form of the command enables graceful shutdown of SSH sessions.
no disable-graceful-shutdown
This command limits the number of inbound SSH sessions. Each 7705 SAR router is limited to a total of 15 inbound SSH sessions (IPv4 and IPv6).
The no form of the command reverts to the default value.
5
This command limits the number of outbound SSH sessions. Each 7705 SAR router is limited to a total of 15 outbound SSH sessions (IPv4 and IPv6).
The no form of the command reverts to the default value.
5
This command enables the context to configure the Telnet login control parameters.
This command enables graceful shutdown of Telnet sessions.
When graceful shutdown is enabled, Telnet sends a FIN message and waits for an acknowledgment before terminating the TCP connection.
The no form of the command disables graceful shutdown of Telnet sessions.
no enable-graceful-shutdown
This command limits the number of inbound Telnet sessions. Each 7705 SAR router is limited to a total of 15 inbound Telnet sessions (IPv4 and IPv6).
The no form of the command reverts to the default value.
5
This command limits the number of outbound Telnet sessions. Each 7705 SAR router is limited to a total of 15 outbound Telnet sessions (IPv4 and IPv6).
The no form of the command reverts to the default value.
5
This command configures TTL security parameters for incoming packets. When the feature is enabled, SSH or Telnet connections will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer.
The no form of the command disables TTL security.
no ttl-security
Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration.
This command displays SNMP access group information.
The following output is an example of system security access group information, and Table 10 describes the fields.
Label | Description |
Group name | The access group name |
Security model | The security model required to access the views configured in this node |
Security level | Specifies the required authentication and privacy levels to access the views configured in this node |
Read view | Specifies the variable of the view to read the MIB objects |
Write view | Specifies the variable of the view to configure the contents of the agent |
Notify view | Specifies the variable of the view to send a trap about MIB objects |
This command displays system login authentication configuration and statistics.
The following output is an example of system security authentication information, and Table 11 describes the fields.
Label | Description |
Sequence | The sequence in which authentication is processed |
Server address | The IP address of the RADIUS server |
Status | The current status of the RADIUS server |
Type | The authentication type |
Timeout (secs) | The number of seconds the router waits for a response from a RADIUS server |
Retry count | Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server |
Connection errors | The number of errors encountered when connecting to the RADIUS server |
Accepted logins | The number of times the user has successfully logged in |
Rejected logins | The number of unsuccessful login attempts |
Sent packets | The number of packets sent |
Rejected packets | The number of packets rejected |
This command displays SNMP communities and characteristics.
The following output is an example of community information, and Table 12 describes the fields.
Label | Description |
Community | The community string name for SNMPv1 and SNMPv2c access only |
Access | r: The community string allows read-only access |
rw: The community string allows read-write access | |
rwa: The community string allows read-write-all access | |
mgmt: The unique SNMP community string assigned to the management router | |
View | The view name |
Version | The SNMP version |
Group Name | The access group name |
No of Communities | The total number of configured community strings |
This command displays information on CPM (CSM) filters.
If an entry number is not specified, all entries are displayed.
The following output is an example of CPM filter information, and Table 13 describes the fields.
Label | Description |
CPM IP (or IPv6) Filter Entry | |
Entry-id | Displays information about the specified CPM filter entry |
Dropped | The number of dropped events |
Forwarded | The number of forwarded events |
Description | The CPM filter description |
Filter Entry Match Criteria | |
Log Id | The log ID where matched packets will be logged |
Src. IP | The source IP address |
Dest. IP | The destination IP address |
Protocol | The Protocol field in the IP header (IPv4 filters only) |
next-header | The next header ID. Undefined indicates no next header is specified. (IPv6 filters only) |
ICMP Type | The ICMP type field in the ICMP header |
Fragment | The 3-bit fragment flags or 13-bit fragment offset field (IPv4 filters only) |
IP-Option | The IP option setting (IPv4 filters only) |
TCP-syn | The SYN flag in the TCP header |
Match action | When the criteria matches, displays drop or forward packet |
Dropped pkts | The number of matched dropped packets |
Src. Port | The source port number (range) |
Dest. Port | The destination port number (range) |
Dscp | The DSCP field in the IP header |
ICMP Code | The ICMP code field in the ICMP header |
Option-present | The option present setting (IPv4 filters only) |
Multiple Option | The multiple option setting (IPv4 filters only) |
TCP-ack | The ACK flag in the TCP header |
Match action | When the criteria matches, displays drop or forward packet |
Next Hop | If match action is forward, indicates destination of the matched packet |
Forwarded pkts | Indicates number of matched forwarded packets |
This command displays information about keychains.
If a keychain name is not specified, all keychains are displayed.
The following output is an example of keychain information, and Table 14 describes the fields.
Label | Description |
Key chain: name | |
Description | The text string description for the keychain |
TCP-Option number send | The TCP option number to be inserted in the header of sent TCP packets |
Admin state | The administrative state of the keychain: up or down |
TCP-Option number receive | The TCP option number that will be accepted in the header of received TCP packets |
Oper state | The operational state of the keychain: up or down |
Used by | The protocols associated with this keychain |
Expired | Indicates whether the keychain has expired |
Key entries for key chain: name | |
Id | The ID of the key entry |
Direction | The stream direction on which keys will be applied for this entry: send, receive, or send-receive |
Algorithm | The encryption algorithm to be used by this key entry |
Option | Indicates the configured IS-IS encoding standard (indicates “none” if the associated protocol is not IS-IS) |
Admin State | The administrative state of the key entry: up or down |
RX Valid | Indicates if the receive key is valid |
TX Active | Indicates if the transmit (sent) key is active |
Tolerance | The tolerance time configured for support of both currently active and new keys |
Begin Time | The time at which the new key is used to sign and/or authenticate protocol packets |
Begin Time (UTC) | The begin time in UTC time |
End Time | The time at which the key is no longer eligible to authenticate protocol packets |
End Time (UTC) | The end time in UTC time |
This command displays management access control filter information.
If no specific entry number is specified, all entries are displayed.
The following output is an example of management access filter information, and Table 15 describes the fields.
Label | Description |
IPv4 (or IPv6) Management Access Filters | |
filter type | The management access filter type |
Def. Action | Permit: Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted |
Deny: Specifies that packets not matching the configured selection criteria in any of the filter entries are silently denied | |
Deny-host-unreachable: Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and an ICMP host unreachable message is issued | |
Admin Status | Up: indicates that the management access filter is administratively enabled |
Down: indicates that the management access filter is administratively disabled | |
Entry | The entry ID in a policy or filter table |
Description | A text string describing the filter |
Src IP | The source IP address used for management access filter match criteria |
Flow label | The flow label to match (IPv6 filters only) |
Src interface | The interface or port on which a packet must have arrived in order to match this filter entry |
Dest port | The destination port |
Next-header | The next header ID to match. Undefined indicates no next header is specified. (IPv6 filters only) |
Protocol | The IP protocol to match (IPv4 filters only) |
Action | The action to take for packets that match this filter entry |
Matches | The number of times a management packet has matched this filter entry |
This command displays configured password options.
The following output is an example of password options information, and Table 16 describes the fields.
Label | Description |
Password aging in days | The number of days a user password is valid before the user must change their password |
Time required between password changes | The time interval required before a password can be changed |
Number of invalid attempts permitted per login | The number of unsuccessful login attempts allowed for the specified time |
Time in minutes per login attempt | The period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out |
Lockout period (when threshold breached) | The lockout period, in minutes, during which the user is not allowed to log in |
Authentication order | The sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords |
User password history length | The number of recent passwords stored in the history file to compare against new passwords. If a new password matches any of the passwords in the history file, it is rejected |
Accepted password length | The minimum and maximum password length |
Credits for each character class | The maximum number of credits given for each character class |
Number of required characters per class | The minimum number of characters of each class (uppercase, lowercase, numeric, special) that is required in a password |
Minimum number of required character classes | The number of different character classes (uppercase, lowercase, numeric, special) that must appear in a password |
Required distance with previous password | The minimum number of characters that must differ between the new password and the old password |
Allow consecutively repeating a character | The number of times the same character may be repeated consecutively in a new password |
Allow passwords containing username | Displays whether the user name is allowed as part of the password |
Palindrome allowed | Displays whether palindromes are allowed as part of the password |
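An added example, not from the documentation or product: a checker for the composition rules in Table 16 together with the CLI quoting rule given under the password command (special characters require double quotes; a double quote inside the password is not accepted). The policy values, the distance measure and the omission of class credits are assumptions, noted in the code.

```python
"""Added example, not part of the 7705 SAR documentation or software.

A checker for the composition rules listed in the password-options output
(length, characters per class, minimum classes, consecutive repeats,
username inside the password, palindromes, history, distance from the
previous password) plus the CLI quoting rule for the password command.
"Credits for each character class" is not modelled. The distance measure
(differing positions plus length difference) is an assumption.
"""
import string
from dataclasses import dataclass
from typing import List, Sequence

CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numeric": set(string.digits),
    "special": set(string.punctuation),
}


def distance(new: str, old: str) -> int:
    """Positions that differ, plus the length difference (assumed measure)."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def quote_for_cli(password: str) -> str:
    """Return the argument as it must be typed: double-quoted when it holds
    any special character. A double quote inside the password is rejected
    because the CLI reads it as a string delimiter."""
    if '"' in password:
        raise ValueError("double quote not permitted inside a password")
    if all(c.isalnum() for c in password):
        return password
    return f'"{password}"'


@dataclass
class PasswordPolicy:
    min_length: int = 6
    max_length: int = 20
    min_per_class: int = 0           # required characters of every class
    min_classes: int = 1             # distinct classes that must appear
    max_consecutive_repeat: int = 2  # "aa" allowed, "aaa" not
    allow_username: bool = False
    allow_palindrome: bool = False
    min_distance: int = 0            # from the previous password
    history_length: int = 0          # recent passwords that may not be reused

    def check(self, password: str, username: str, previous: Sequence[str] = ()) -> List[str]:
        """Return the list of rule violations; an empty list means accepted."""
        problems: List[str] = []
        if '"' in password:
            problems.append("contains a double quote (CLI string delimiter)")
        if not self.min_length <= len(password) <= self.max_length:
            problems.append(f"length must be {self.min_length}..{self.max_length}")
        counts = {name: sum(c in chars for c in password) for name, chars in CLASSES.items()}
        for name, n in counts.items():
            if n < self.min_per_class:
                problems.append(f"needs at least {self.min_per_class} {name} character(s)")
        if sum(1 for n in counts.values() if n) < self.min_classes:
            problems.append(f"needs at least {self.min_classes} character classes")
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run > self.max_consecutive_repeat:
                problems.append(f"repeats a character more than {self.max_consecutive_repeat} times in a row")
                break
        if not self.allow_username and username and username.lower() in password.lower():
            problems.append("contains the user name")
        if not self.allow_palindrome and len(password) > 1 and password == password[::-1]:
            problems.append("is a palindrome")
        if self.history_length and password in list(previous)[-self.history_length:]:
            problems.append(f"matches one of the last {self.history_length} passwords")
        if previous and self.min_distance and distance(password, previous[-1]) < self.min_distance:
            problems.append(f"differs from the previous password in fewer than {self.min_distance} characters")
        return problems


# Constructed policy values, roughly what a hardened node would carry.
POLICY = PasswordPolicy(min_length=8, max_length=20, min_per_class=1, min_classes=3,
                        max_consecutive_repeat=2, min_distance=4, history_length=3)

if __name__ == "__main__":
    for pw in ("Str0ng!Pass", "alice2024!!!", "Ab1!!1bA"):
        print(quote_for_cli(pw), POLICY.check(pw, "alice"))
```

Run the checker against a candidate before typing it into the password command; the quoting helper also shows why a password containing # or ? must be pasted inside double quotes rather than typed, as the page notes.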
This command displays user profile information.
If the user-profile-name is not specified, then information for all profiles is displayed.
The following output is an example of user profile information, and Table 17 describes the fields.
Label | Description |
User Profile | The profile name used to deny or permit user console access to a hierarchical branch or to specific commands |
Def. action | Permit all: Permits access to all commands |
Deny: Denies access to all commands | |
None: No action is taken | |
Entry | The entry ID in a policy or filter table |
Description | Displays the text string describing the entry |
Match Command | Displays the command or subtree commands in subordinate command levels |
Action | Permit all: Commands matching the entry command match criteria are permitted |
Deny: Commands matching the entry command match criteria are not permitted | |
No. of profiles | The total number of profiles listed |
This command displays the source address configured for applications.
The following output is an example of source address information, and Table 18 describes the fields.
Label | Description |
Application | The source-address application |
IP address: Interface Name | The source address IP address or interface name |
Oper status | Up: The source address is operationally up |
Down: The source address is operationally down |
This command displays all the SSH sessions as well as the SSH status and fingerprint. The type of SSH application (CLI, SCP, or SFTP) is indicated for each SSH connection.
The following outputs are examples of SSH information (IPv4 and IPv6) for an SSH sever, and Table 19 describes the fields.
Label | Description |
Administrative State | The administrative state of the SSH server: enabled or disabled |
Operational State | The operational state of the SSH server: up or down |
Preserve Key | Enabled: preserve-key is enabled |
Disabled: preserve-key is disabled | |
SSH Protocol Version 1 | Enabled: SSH1 is enabled |
Disabled: SSH1 is disabled | |
SSH Protocol Version 2 | Enabled: SSH2 is enabled |
Disabled: SSH2 is disabled | |
DSA Host Key Fingerprint RSA Host Key Fingerprint | The key fingerprint identifies the server's digital signature algorithm (DSA) or Rivest, Shamir, and Adleman (RSA) host key. Clients connecting to the server verify the fingerprint against the one they previously recorded. If the fingerprint is unknown or has changed, the client should not continue with the SSH session, since the server might be spoofed. |
Connection | The IP address of the connected routers (remote client) |
Username | The name of the user |
Version | The cipher SSH protocol version |
Cipher | The ciphers configured for the SSH server |
ServerName | The type of SSH application (CLI, SCP, or SFTP) |
Status | The status of the connection |
Number of SSH sessions | The total number of SSH sessions |
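As an added example (not part of the manual), the following Python check derives the SHA-256 and legacy MD5 style fingerprints from a router's exported OpenSSH public-key line and compares them with the fingerprint the show command displays, so an operator can confirm the host key before a client trusts it. The public-key line is constructed (arbitrary bytes, not a real RSA key); only the hashing of the decoded blob is exercised.

```python
import base64
import hashlib
import re

# Constructed sample: a made-up OpenSSH public-key line. The blob is arbitrary
# bytes, not a real RSA key; the fingerprint is just a hash of the decoded blob.
SAMPLE_PUBKEY_LINE = (
    "ssh-rsa "
    + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 32).decode()
    + " router-host-key"
)


def decode_pubkey_line(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH 'type base64 [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(parts[1])


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH default format: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format: colon-separated lowercase hex of the MD5 digest."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def normalize(fp: str) -> str:
    """Canonicalize a displayed fingerprint so case, an 'MD5:' prefix, colons
    or base64 padding do not produce a false mismatch."""
    fp = fp.strip()
    if fp.upper().startswith("SHA256:"):
        return "SHA256:" + fp[7:].rstrip("=")
    fp = re.sub(r"^MD5:", "", fp, flags=re.IGNORECASE)
    return fp.lower().replace(":", "")


def fingerprint_matches(displayed: str, expected: str) -> bool:
    """True only if both fingerprints canonicalize to the same value."""
    return normalize(displayed) == normalize(expected)


def verify_router_key(pubkey_line: str, displayed_fingerprint: str) -> bool:
    """Compare the fingerprint shown by the router with both fingerprint
    formats derived from its public key; False means do not trust the key."""
    blob = decode_pubkey_line(pubkey_line)
    candidates = (fingerprint_sha256(blob), fingerprint_md5(blob))
    return any(fingerprint_matches(displayed_fingerprint, c) for c in candidates)
```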
This command displays user registration and security information. You can clear lockouts for users with the lockout command.
If no command line options are specified, summary information for all users displays.
The following output is an example of user information, and Table 20 describes the fields.
| Label | Description |
| --- | --- |
| User ID | The name of a system user |
| Need new pwd | Y: The user must change their password at the next login; N: The user is not forced to change their password at the next login |
| Cannot change pw | Y: The user has the ability to change the login password; N: The user does not have the ability to change the login password |
| User permissions | Console: Y - The user is authorized for console access, N - The user is not authorized for console access; FTP: Y - The user is authorized for FTP access, N - The user is not authorized for FTP access; SNMP: Y - The user is authorized for SNMP access, N - The user is not authorized for SNMP access |
| Password expires | The number of days the user has left before they must change their login password |
| Login attempts | The number of times the user has attempted to log in, irrespective of whether the login succeeded or failed |
| Failed logins | The number of unsuccessful login attempts |
| Local conf | Y: Password authentication is based on the local password database; N: Password authentication is not based on the local password database |
| Home directory | Specifies the local home directory for the user for both console and FTP access |
| Restricted to home | Yes: The user is not allowed to navigate to a directory higher in the directory tree on the home directory device; No: The user is allowed to navigate to a directory higher in the directory tree on the home directory device |
| Login exec file | Displays the user's login exec file, which executes whenever the user successfully logs in to a console session |
| Remaining Login attempts | The number of login attempts remaining before a user is locked out |
| Remaining Lockout Time (min:sec) | The time remaining before a user can attempt another login |
This command displays one or all views and permissions in the MIB-OID tree.
The following output is an example of view information, and Table 21 describes the fields.
| Label | Description |
| --- | --- |
| view name | The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree |
| oid tree | The object identifier of the ASN.1 subtree |
| mask | The bit mask that defines a family of view subtrees |
| permission | Indicates whether each view is included or excluded |
| No. of Views | The total number of views |
Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration.
This command displays console user login and connection information.
The following output is an example of user login and connection information, and Table 22 describes the fields.
| Label | Description |
| --- | --- |
| User | The user name |
| Type | The type of user access |
| From | The originating IP address |
| Login time | The time the user logged in |
| Idle time | The amount of idle time for a specific login |
| Number of users | The total number of users logged in |
This command clears a security lockout for a specific user, or for all users, after they have failed too many login attempts.
This command clears authentication statistics.
This command enables debugging for RADIUS connections.
The no form of the command disables the debugging.